All articles tagged with Debian

Sebastian Krahmer and Marius Tomaschewski discovered that dhclient of dhcp3, a DHCP client, is not properly filtering shell meta-characters in certain options in DHCP server responses. These options are reused in an insecure fashion by dhclient scripts. This allows an attacker to execute arbitrary commands with the privileges of such a process by sending crafted DHCP options to a client using a rogue server. Updated packages are available from security.debian.org.

Sebastian Krahmer and Marius Tomaschewski discovered that dhclient of isc-dhcp, a DHCP client, is not properly filtering shell meta-characters in certain options in DHCP server responses. These options are reused in an insecure fashion by dhclient scripts. This allows an attacker to execute arbitrary commands with the privileges of such a process by sending crafted DHCP options to a client using a rogue server. Updated packages are available from security.debian.org.

Daniel Danner discovered that tmux, a terminal multiplexer, is not properly dropping group privileges. Due to a patch introduced by Debian, when invoked with the -S option, tmux is not dropping permissions obtained through its setgid installation. Updated packages are available from security.debian.org.

Ricardo Narvaja discovered that missing input sanitising in VLC, a multimedia player and streamer, could lead to the execution of arbitrary code if a user is tricked into opening a malformed media file. Updated packages are available from security.debian.org.

Several vulnerabilities were discovered in the TIFF manipulation and conversion library: A buffer overflow allows an attacker to execute arbitrary code or cause a denial of service via a crafted TIFF image with JPEG encoding. A buffer overflow allows an attacker to execute arbitrary code or cause a denial of service via a crafted TIFF Internet Fax image file that has been compressed using CCITT Group 4 encoding. A heap-based buffer overflow in the thunder (aka ThunderScan) decoder allows an attacker to execute arbitrary code via a TIFF file that has an unexpected BitsPerSample value. Updated packages are available from security.debian.org.

It was discovered that BIND, a DNS server, contains a race condition when processing zone updates in an authoritative server, either through dynamic DNS updates or incremental zone transfer (IXFR). Such an update while processing a query could result in deadlock and denial of service. In addition, this security update addresses a defect related to the processing of new DNSSEC DS records by the caching resolver, which may lead to name resolution failures in the delegated zone. Updated packages are available from security.debian.org.

Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal. Updated packages are available from security.debian.org.

Two security vulnerabilities have been discovered in Mahara, a fully featured electronic portfolio, weblog, resume builder and social networking system. A security review commissioned by a Mahara user discovered that Mahara processes unsanitized input which can lead to cross-site scripting (XSS). Mahara Developers discovered that Mahara doesn’t check the session key under certain circumstances which can be exploited as cross-site request forgery (CSRF) and can lead to the deletion of blogs. Updated packages are available from security.debian.org.

Sebastian Krahmer discovered that gdm3, the GNOME Desktop Manager, does not properly drop privileges when manipulating files related to the logged-in user. As a result, local users can gain root privileges. Updated packages are available from security.debian.org.

This update for the Iceape internet suite, an unbranded version of Seamonkey, updates the certificate blacklist for several fraudulent HTTPS certificates. Updated packages are available from security.debian.org.

Mathias Svensson discovered that tex-common, a package shipping a number of scripts and configuration files necessary for TeX, contains insecure settings for the shell_escape_commands directive. Depending on the scenario, this may result in arbitrary code execution when a victim is tricked into processing a malicious TeX file, or when such files are processed in an automated fashion. Updated packages are available from security.debian.org.

It has been discovered that the Quagga routing daemon contains two denial-of-service vulnerabilities in its BGP implementation. A crafted Extended Communities attribute triggers a null pointer dereference which causes the BGP daemon to crash. The crafted attributes are not propagated by the Internet core, so only explicitly configured direct peers are able to exploit this vulnerability in typical configurations. The BGP daemon resets BGP sessions when it encounters malformed AS_PATHLIMIT attributes, introducing a distributed BGP session reset vulnerability which disrupts packet forwarding. Such malformed attributes are propagated by the Internet core, and exploitation of this vulnerability is not restricted to directly configured BGP peers. Updated packages are available from security.debian.org.

Witold Baryluk discovered that MaraDNS, a simple security-focused Domain Name Service server, may overflow an internal buffer when handling requests with a large number of labels, causing a server crash and the consequent denial of service. Updated packages are available from security.debian.org.

Stephane Chazelas discovered that the cronjob of the PHP 5 package in Debian suffers from a race condition which might be used to remove arbitrary files from a system. Updated packages are available from security.debian.org.

It was discovered that libvirt, a library for interfacing with different virtualization systems, did not properly check for read-only connections. This allowed a local attacker to perform a denial of service (crash) or possibly escalate privileges. Updated packages are available from security.debian.org.

Several issues have been discovered in libcgroup, a library to control and monitor control groups. A heap-based buffer overflow when converting the list of controllers for a given task into an array of strings could lead to privilege escalation by a local attacker. libcgroup did not properly check the origin of Netlink messages, allowing a local attacker to send crafted Netlink messages which could lead to privilege escalation. Updated packages are available from security.debian.org.

Several vulnerabilities have been discovered in ProFTPD, a versatile, virtual-hosting FTP daemon: Incorrect handling of the ABOR command could lead to denial of service through elevated CPU consumption. Several directory traversal vulnerabilities have been discovered in the mod_site_misc module. A SQL injection vulnerability was discovered in the mod_sql module. Updated packages are available from security.debian.org.

Several vulnerabilities were discovered in the Chromium browser. Google Chrome does not properly implement JavaScript dialogs, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted HTML document. Google Chrome does not properly process nodes in Cascading Style Sheets (CSS) stylesheets, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a “stale pointer.” Google Chrome on 64-bit Linux platforms does not properly perform pickle deserialization, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

Google Chrome does not properly handle tables, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a “stale node.” Google Chrome does not properly render tables, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a “stale pointer.” An integer overflow in Google Chrome allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a TEXTAREA element.

The WebGL implementation in Google Chrome allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. Updated packages are available from security.debian.org.

Several vulnerabilities have been discovered in webkit, a Web content engine library for Gtk+. WebKit does not properly handle dynamic modification of a text node, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document. The rendering implementation in WebKit allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. WebKit does not properly perform a cast of an unspecified variable during processing of an SVG use element, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted SVG document.

WebKit does not properly handle animated GIF images, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted image. A use-after-free vulnerability in WebKit allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG animations. A use-after-free vulnerability in WebKit allows remote attackers to cause a denial of service via vectors related to the handling of mouse dragging events. The CSSParser::parseFontFaceSrc function does not properly parse Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted local font, related to “Type Confusion.”

WebKit does not properly perform cursor handling, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to “stale pointers.” WebKit does not properly perform a cast of an unspecified variable during handling of anchors, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted HTML document. WebKit does not properly restrict drag and drop operations, which might allow remote attackers to bypass the Same Origin Policy via unspecified vectors.

Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. Roberto Suggi Liverani discovered that the sanitising performed by ParanoidFragmentSink was incomplete. Crashes in the layout engine may lead to the execution of arbitrary code. Zach Hoffmann discovered that incorrect parsing of recursive eval() calls could lead to attackers forcing acceptance of a confirmation dialogue. Christian Holler discovered buffer overflows in the JavaScript engine, which could allow the execution of arbitrary code.

“regenrecht” and Igor Bukanov discovered a use-after-free error in the JSON implementation, which could lead to the execution of arbitrary code. Daniel Kozlowski discovered that incorrect memory handling in the web workers implementation could lead to the execution of arbitrary code. Peleus Uhley discovered a cross-site request forgery risk in the plugin code. Updated packages are available from security.debian.org.

It was discovered that the ISC DHCPv6 server does not correctly process requests which come from unexpected source addresses, leading to an assertion failure and a daemon crash. Updated packages are available from security.debian.org.

Dominik George discovered that logwatch does not guard against shell meta-characters in crafted log file names (such as those produced by Samba). As a result, an attacker might be able to execute shell commands on the system running logwatch. Updated packages are available from security.debian.org.

Philip Martin discovered that HTTP-based Subversion servers crash when processing lock requests on repositories which support unauthenticated read access. Updated packages are available from security.debian.org.

Several vulnerabilities have been found in the Iceape internet suite, an unbranded version of Seamonkey. Roberto Suggi Liverani discovered that the sanitising performed by ParanoidFragmentSink was incomplete. Zach Hoffmann discovered that incorrect parsing of recursive eval() calls could lead to attackers forcing acceptance of a confirmation dialogue. Crashes in the layout engine may lead to the execution of arbitrary code.

Christian Holler discovered buffer overflows in the JavaScript engine, which could allow the execution of arbitrary code. “regenrecht” and Igor Bukanov discovered a use-after-free error in the JSON implementation, which could lead to the execution of arbitrary code. Daniel Kozlowski discovered that incorrect memory handling in the web workers implementation could lead to the execution of arbitrary code. Peleus Uhley discovered a cross-site request forgery risk in the plugin code.

Ansgar Burchardt discovered several vulnerabilities in DTC, a web control panel for admin and accounting hosting services. The bw_per_moth.php graph contains an SQL injection vulnerability. Insufficient checks in bw_per_month.php can lead to bandwidth usage information disclosure. After a registration, passwords are sent in cleartext email messages. Authenticated users could delete accounts using an obsolete interface which was incorrectly included in the package. Updated packages are available from security.debian.org.